Excellent work
This is truly excellent work. I expect a lot more from the banks. I expect the banks to be at the bleeding edge of security, not in the wake, behind everyone else.
The latest evolution of a high-profile security flaw potentially exposes UK banks' web site traffic to eavesdropping. The POODLE (Padding Oracle On Downgraded Legacy Encryption) security flaw first surfaced in October and was thought to affect only the obsolete - but still widely used - Secure Sockets Layer (SSL) 3.0 crypto …
Yup, I said the same to Natwest when I sent them the results of a quick analysis of their Internet Banking a month or two back (vested interest, as I'm a customer).
They were somewhat disinterested, especially given that it's not unreasonable to expect them to uphold high standards.
I'd not trust the banks.
My latest bank offers to show me my pin. I need to enter it in the online banking first, but then it shows me this.
I'm still undecided if this is a security risk. I'll leave them if it is. Previously, the pin was not viewable by anyone, and only receivable in a tamper proof (at least gives visible results of tampering) envelope.
I'm not being obsessed or anything, it's just I'd rather not bank with a company that allows someone to request my pin if they get hold of my card and just enter the details online for a "reminder". Or a bank that does not see the uselessness of a pin reminder that first requires me to enter my... PIN!
It's shown on the screen. I don't care if it's salted and hashed. It's sent to a recipient at the other end of the PC/Mobile. It boggles my mind how they decided that a phone request/fax or visit to the Bank in the past was a breach of security if they suggested giving out a pin, but are happy to on the internet?
Actually most places other than the UK have reasonable (or at least a lot better) online banking. For example, in the Benelux banks online security has been secured by a card reader for challenge/response and signing for more than a decade. But then again they pay their bankers less (and perhaps more is spent on security - one can hope).
RBS turning out to be technically inept? Surely not.
But instead of trying to do their job for them (when they clearly don't care), why not use the fast account switching service to somebody who is less bad on security? If you know enough to make that a reason for moving, you'll have a view on who you might trust?
That's easier said than done.
Purely based on a Qualys check, you'd pick Santander. Quite honestly, they would be the last bank I'd choose if security was a serious concern.
https://www.google.co.uk/#q=santander+paul+moore
You'll find several of my articles dotted about, on net-sec, ThreatPost, Softpedia etc.
That's a tough one.
You'll struggle to find any recent (or accurate) assessments, as the only people that truly know are bound by *very* tight non-disclosure agreements.
About 12 months ago, I contacted every UK bank to ask for detailed information on how they handle passwords. Some were in plain text, others were "encrypted" but wouldn't discuss how. Of them all, First Direct (an HSBC company) came out on top. They wouldn't disclose exactly how they were stored either, but their responses to quite lengthy questions were broadly spot on... which helps instill confidence at least. Ironically, HSBC directly were one of the worst... so who knows ;)
I reported issues to my bank, Barclays, last month. I never received a reply or acknowledgement.
When I discovered just how bad their security was I started shopping round for some place better, but as this article points out, they are all just as bad. It's not the vulnerability to Poodle but a long list of stuff like a lack of support for DHE/ECDHE key exchange meaning no forward security and support for insecure ciphers like RC4.
I found Amex storing key customer session data in cookies on customer machines in 2005 and tried to report it. The result was NIL. ZILCH. NADA. I got a continued "be a good customer, do not be disturbed" response until I cancelled my account. THEN and only THEN, someone from Amex security looked into it. Prior to that - "S.E.P".
In any case - a quick test on Nationwide shows TLS 1.1. My banking abroad in the wild east is at 1.1 too - it used to use client side certificates until 2005 and has been using challenge/response since 2005.
Amex is still ... drum roll... - 1.0 (cannot check easily if it is poodle susceptible - SSL 3.0 is disabled "in depth" in this house). This pretty much says everything there is to be said here.
As I understand it the problem with the original POODLE is that the SSL 3.0 specification was broken - so if you are using SSL3 you are vulnerable.
With POODLE against TLS the problem is that some companies'(*) _implementations_ of TLS were vulnerable. So, if you are using TLS it depends on who wrote the implementation whether or not you are vulnerable.
(*) e.g. A10 and F5, both of whom released fixes very soon after - if your bank is using either company they should have applied the patches by now
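The distinction the comment above draws between the broken SSL 3.0 specification and a sloppy TLS implementation comes down to how CBC padding is validated after decryption. The following Python, added here and not part of the thread, contrasts the two checks on constructed records; the block size, MAC length and sample payload are assumptions.

```python
# Added example (not from the original thread): why the SSL 3.0 padding rule is
# weaker than the TLS one. Both functions take a constructed, already-decrypted
# CBC record (payload || MAC || padding || pad_length) and return the payload
# without MAC and padding, or None when the padding is malformed.

BLOCK = 16  # AES block size, assumed for the constructed records

def strip_padding_ssl3(plain: bytes, mac_len: int):
    """SSL 3.0 rule: only the final byte (pad length) is checked; the padding
    bytes themselves are opaque, so any content there is accepted."""
    if not plain:
        return None
    pad_len = plain[-1]
    if pad_len >= BLOCK or len(plain) < pad_len + 1 + mac_len:
        return None
    return plain[: len(plain) - pad_len - 1 - mac_len]

def strip_padding_tls(plain: bytes, mac_len: int):
    """TLS 1.0+ rule: every padding byte must equal the pad-length byte.
    A TLS stack that skips this loop behaves exactly like SSL 3.0 here."""
    if not plain:
        return None
    pad_len = plain[-1]
    if len(plain) < pad_len + 1 + mac_len:
        return None
    if any(b != pad_len for b in plain[-(pad_len + 1):]):
        return None
    return plain[: len(plain) - pad_len - 1 - mac_len]

def make_record(payload: bytes, mac: bytes, pad_fill=None) -> bytes:
    """Build a constructed plaintext record. pad_fill=None yields correct
    TLS padding; any other byte value yields SSL3-style arbitrary padding."""
    pad_len = (BLOCK - (len(payload) + len(mac) + 1) % BLOCK) % BLOCK
    fill = pad_len if pad_fill is None else pad_fill
    return payload + mac + bytes([fill] * pad_len) + bytes([pad_len])

MAC_LEN = 20  # HMAC-SHA1 length, as used by the *_CBC_SHA cipher suites
payload = b"GET /online-banking/ HTTP/1.1"   # constructed sample request
fake_mac = b"M" * MAC_LEN                    # constructed stand-in for a MAC

good = make_record(payload, fake_mac)               # well-formed TLS padding
sloppy = make_record(payload, fake_mac, pad_fill=0xFF)  # garbage padding bytes

if __name__ == "__main__":
    for name, rec in (("correct padding", good), ("garbage padding", sloppy)):
        print(f"{name:16} ssl3 accepts: {strip_padding_ssl3(rec, MAC_LEN) is not None}, "
              f"tls accepts: {strip_padding_tls(rec, MAC_LEN) is not None}")
```

A server whose padding check accepts the `sloppy` record is exposed even when SSL 3.0 is disabled, which is why the fix was a patch to the vendor's TLS implementation rather than a protocol change.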
This is the same RBS who helpfully tell us:
"We've thoroughly tested the One account website to make sure you can view it with the following browsers:
Microsoft Internet Explorer Version 5.0, 5.5 and 6.0 for PCs and 5.0 for Macs
Netscape Navigator Version 7 for PCs and Macs."
They then go on to provide a (broken) link to download the latest version of Netscape Navigator for those who haven't yet reached v7.
Very helpful. You also need a 28.8k modem to access online banking, apparently.